Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable, unauthenticated, zero-complexity attack; A:H because a single request can fully exhaust inodes, disk, and memory, crashing the application.
Primary rating from Vendor (6b3ad84c-e1a6-4bf7-a703-f496b71e49db).
CVSS VectorVendor: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Plug.Parsers.MULTIPART, the multipart request-body parser used to handle file uploads and multipart forms, does not enforce its :length budget against all consumed resources, allowing an unauthenticated remote attacker to cause denial of service. The parser charges the :length limit only for part body bytes; part header bytes are never counted, and a part with an empty body costs zero.
Because every part whose Content-Disposition carries a non-empty filename creates a fresh temporary file (via Plug.Upload) and retains a Plug.Upload struct for the duration of the request, an attacker can send a single request composed of many empty-body file parts. Such a request stays well under the configured :length limit (8,000,000 bytes by default) while creating one temporary file per part, leading to inode and disk exhaustion and unbounded memory growth. Any application using Plug.Parsers with the :multipart parser is affected, and no authentication is required, only reachability of a multipart endpoint over HTTP.
This vulnerability is associated with program files lib/plug/parsers/multipart.ex and program routines Plug.Parsers.MULTIPART.parse_multipart/2, Plug.Parsers.MULTIPART.parse_multipart_headers/5, Plug.Parsers.MULTIPART.parse_multipart_body/4, and Plug.Parsers.MULTIPART.parse_multipart_file/4.
This issue affects plug: from 1.4.0 before 1.16.6, from 1.17.0 before 1.17.4, from 1.18.0 before 1.18.5, from 1.19.0 before 1.19.5, and from 1.20.0 before 1.20.3.
AnalysisAI
Denial of service in Elixir's Plug library (versions 1.4.0 through 1.20.2) allows unauthenticated remote attackers to exhaust filesystem inodes, disk space, and server memory via a single crafted multipart HTTP request. The Plug.Parsers.MULTIPART component charges its configurable :length limit only against part body bytes, meaning part headers are never counted and parts with empty bodies cost exactly zero - yet each such part with a filename triggers creation of a Plug.Upload struct and a real temporary file on disk. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The only prerequisite is HTTP reachability of an endpoint that uses Plug.Parsers with the :multipart parser - which includes any file upload form in a Phoenix or Plug-based application. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 6.9 (Medium) with VA:L understates the practical impact for resource-constrained or high-traffic deployments: the description explicitly states the attack leads to inode and disk exhaustion and unbounded memory growth from a single request, which is characteristic of a high availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker discovers a public file-upload endpoint on a Phoenix application and sends a single HTTP POST with Content-Type: multipart/form-data containing several thousand MIME parts, each consisting only of headers (Content-Disposition: form-data; name="f"; filename="x") followed by an empty body. The total request body remains well under the default 8MB :length limit while the server creates thousands of temporary files, rapidly consuming filesystem inodes and disk space, and accumulating Plug.Upload structs in memory until the application process crashes or the OS rejects further file creation. |
| Remediation | Upgrade to a patched release: plug 1.16.6, 1.17.4, 1.18.5, 1.19.5, or 1.20.3, depending on your current minor line. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42873